
RFC 7858 specifies DNS over TLS (Transport Layer Security). This article explains how to provide a DNS over TLS service using bind9 and stunnel (https://www.stunnel.org). The setup of a privacy aggregator is at the end.

bind9 configuration: nothing special is needed. If you want to limit external insecure access to the service, you can adjust the address and port of the listen-on clause, use an acl, or even use the system firewall, because bind9 provides no per-transport-protocol access control.

stunnel setup for the opportunistic privacy profile:

create an X.509 public key certificate, for instance by:

openssl genrsa -out dns.key 2048

openssl req -new -key dns.key -out dns.crt -x509

this creates a self-signed certificate, enough for clients performing no authentication.

create a stunnel configuration dnstls.conf:

[dns]

accept = 853

connect = 127.0.0.1:53

cert = dns.crt

key = dns.key

The service_name should be dns according to the documentation. The DNS over TLS well-known port is 853; stunnel will accept any TLS connection on this port and forward its content over TCP to 127.0.0.1 (localhost) on port 53 (dns).

launch stunnel in daemon mode using the configuration file:

stunnel dnstls.conf
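
To check the listener configured above, the following added example (not part of the original article or of the bind9 or stunnel projects) sends one query through port 853 using the two-byte length framing of DNS over TCP, without authenticating the server, as an opportunistic client would. The query name example.com, the transaction id and all function names are assumptions made for the example.

```python
import socket
import ssl
import struct

TXID = 0x1234  # constructed transaction id for the probe

def build_query(name, qtype=1, txid=TXID):
    """Encode a DNS query: RD flag set, one question, class IN (qtype 1 = A)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def frame(msg):
    """Add the two-byte length prefix of DNS over TCP, which RFC 7858 reuses."""
    return struct.pack("!H", len(msg)) + msg

def read_frame(recv):
    """Read one length-prefixed message; recv(n) may return fewer than n bytes."""
    def exactly(n):
        buf = b""
        while len(buf) < n:
            chunk = recv(n - len(buf))
            if not chunk:
                raise ConnectionError("connection closed mid-message")
            buf += chunk
        return buf
    (length,) = struct.unpack("!H", exactly(2))
    return exactly(length)

def summarize(resp, txid=TXID):
    """Return (id_matches, rcode, answer_count) from the response header."""
    if len(resp) < 12:
        raise ValueError("short DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return rid == txid, flags & 0x000F, ancount

def probe(host="127.0.0.1", port=853, name="example.com"):
    """Query the stunnel listener without authenticating it (opportunistic)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # self-signed certificate: no name check
    ctx.verify_mode = ssl.CERT_NONE  # and no chain validation
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw) as tls:
            tls.sendall(frame(build_query(name)))
            return summarize(read_frame(tls.recv))

if __name__ == "__main__":
    print(probe())  # needs bind9 and stunnel running as configured above
```

A failure in the TLS handshake points at stunnel or the certificate files, while a completed handshake followed by a closed connection points at the connect target, that is bind9 on 127.0.0.1 port 53.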

stunnel setup for the out-of-band key-pinned privacy profile:

you should use a real X.509 CA but for experiments you can create a CA certificate by:

openssl genrsa -out ca.key 2048

openssl req -new -key ca.key -out ca.crt -x509 -extensions v3_ca

create an X.509 public key certificate in an X.509 Certificate Authority, for instance the homemade CA:

forwarders causes all queries to be forwarded to the designated service on another port, forward only disables fallback to standard resolution, and the tcp-only clause in the server entry enforces the use of TCP transport (note that this feature was added in version 9.11).

stunnel setup for a privacy aggregator is in client mode, with for instance: